RBAC permissions resets on required fields when restarting Strapi

[erinnovations]

Bug report

Required System information

• Node.js version: 18.16.0
• NPM version: 9.6.7
• Strapi version: 4.10.5, 4.10.6, 4.10.7
• Database: Postgres
• Operating system: Windows
• Is your project Javascript or Typescript: Typescript

Describe the bug

RBAC permissions resets on required fields when restarting Strapi

Steps to reproduce the behavior

1. Create a require field
2. Remove all the RBAC permissions (Create, Read, Update) for that field in a Role
3. Save it
4. It will work fine
5. Restart Strapi and now every RBAC permissions is resets for Create, Read, Update, and the Users in the Role can access the field again.

Expected behavior

Even if its a required field RBAC permissions shouldn't reset to it default (allow) on that field. This is unexpected and cause security issues, because you believe the Role can't access or change that field.

[huy-lv]

hey, what is the current status of this issue

[vimanvh]

Would it please be possible to fix this major security issue? It is not possible to implement even basic scenarios with RBAC.

[pcriadoperez]

I'm seeing the same issue for custom controllers. Is there any fix on the way?